Hackers penetrate smut site, claim to have slurped users' privates

Hackers claim to have made off credit card records and other personal information after mounting a smash-and-grab raid on porn site Digital Playground.

A previously unknown group called the The Consortium claims to have extracted the user names, email addresses and passwords of 73,000 subscribers to the grumble flick portal. That's potentially embarrassing enough by itself, but the crackers also claim to have extracted the numbers, expiry dates and security codes for 40,000 credit cards. The Consortium published a sample of the data it stole (login credentials, internal emails, software licence keys) as evidence of the hack, which seems to have been motivated more by mischief than profit-motivated cybercrime.

The Consortium, which claims affiliation to hacktivist group Anonymous, claims the Digital playground site was so riddled with security holes that it acted as a irresistable target. "We did not set out to destroy them but they made it too enticing to resist," the group said in a statement posted online. "So now our humble crew leave lulz and mayhem in our path."

Hacktivists claim that the credit card data they have swiped was unencrypted but this remains unconfirmed.

The Digital Playground site has been left online but the site has placed a moratorium on accepting new members while it investigates the hack.

The website is managed and run by Luxembourg-based firm Manwin, which told porn industry news site AVN that it only took on the management of the site on 1 March – possibly after the breach had actually taken place, the BBC reports. Digital Playground subscribers are been notified of the breach which at the very least will mean changing their passwords. It's unclear if any instances of fraud have resulted from the breach.

Manwin confirmed to El Reg that it officially took over Digital Playground and related assets on 1 March, 2012, and said that a security breach may have occurred prior to that date.

Due to the alleged breach, Manwin elected to temporarily shut down DigitalPlayground.com and related websites on 5 March, 2012.

The site was operational again for existing members on 11 March, it said. Manwin said that security parameters had been verified and that the entire system had been upgraded during this time period.

Members will not be billed for the period the site was inactive, a spokesperson added.

Further coverage of the story can be found here. Security commentary via Sophos' Naked security blog can be found here.

The breach is the latest in a growing list of security incidents to affect smut sites in recent weeks.

Coding errors that had lain dormant for years exposed the email addresses and passwords of YouPorn sex chat site, YP Chat, to all and sundry, it emerged last month.

In an unrelated breach last month, a teenage hacker broke into Brazzers, the hardcore porn portal, before making off with hundreds of thousands of user login details. Brazzers admitted the breach but stressed that no credit card data had been exposed. The self-declared perp uploaded data samples and claimed affiliation with Anonymous, a pattern repeated with the latest breach.

Anonymous splinter group LulzSec carried out a similar operation against smut site Pron.com last June. ®

Bootnote

Digital Playground, based in the San Fernando (porn) Valley region near Los Angeles is one of the biggest adult movie studios in the US. The operation prides itself on being something of a trailblazer for new technologies in the adult industry, for example pioneering the application of HD and three-dimension technology to porn. Digital's chief executive Samantha Lewis told the BBC that many technology brands use the adult industry to test new markets, albeit in absolute secrecy.